[gimp/metadata-browser] file-gif-load: limit len and height (CVE-2012-3481)



commit ef4236345a0693454aed4be18eac544a33cfcf9f
Author: Jan Lieskovsky <jlieskov redhat com>
Date:   Tue Aug 14 12:18:22 2012 +0200

    file-gif-load: limit len and height (CVE-2012-3481)
    
    Ensure values of len and height can't overflow g_malloc() argument type.

 plug-ins/common/file-gif-load.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)
---
diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
index 4fdbe7a..4287b46 100644
--- a/plug-ins/common/file-gif-load.c
+++ b/plug-ins/common/file-gif-load.c
@@ -1057,6 +1057,13 @@ ReadImage (FILE        *fd,
   cur_progress = 0;
   max_progress = height;
 
+  if (len > (G_MAXSIZE / height / (alpha_frame ? (promote_to_rgb ? 4 : 2) : 1)))
+  {
+    g_message ("'%s' has a larger image size than GIMP can handle.",
+               gimp_filename_to_utf8 (filename));
+    return -1;
+  }
+
   if (alpha_frame)
     dest = (guchar *) g_malloc (len * height * (promote_to_rgb ? 4 : 2));
   else



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]